Rule X. Outsourcing and Subcontracting Agreements.
Section 43. Subcontract of Personal Data. A personal information controller may subcontract or outsource the processing of personal data: Provided, that the personal information controller shall use contractual or other reasonable means to ensure that proper safeguards are in place, to ensure the confidentiality, integrity and availability of the personal data processed, prevent its use for unauthorized purposes, and generally, comply with the requirements of the Act, these Rules, other applicable laws for processing of personal data, and other issuances of the Commission.
Section 44. Agreements for Outsourcing. Processing by a personal information processor shall be governed by a contract or other legal act that binds the personal information processor to the personal information controller.
a. The contract or legal act shall set out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, the obligations and rights of the personal information controller, and the geographic location of the processing under the subcontracting agreement.
b. The contract or other legal act shall stipulate, in particular, that the personal information processor shall:
- Process the personal data only upon the documented instructions of the personal information controller, including transfers of personal data to another country or an international organization, unless such transfer is authorized by law;
- Ensure that an obligation of confidentiality is imposed on persons authorized to process the personal data;
- Implement appropriate security measures and comply with the Act, these Rules, and other issuances of the Commission;
- Not engage another processor without prior instruction from the personal information controller: Provided, that any such arrangement shall ensure that the same obligations for data protection under the contract or legal act are implemented, taking into account the nature of the processing;
- Assist the personal information controller, by appropriate technical and organizational measures and to the extent possible, fulfill the obligation to respond to requests by data subjects relative to the exercise of their rights;
- Assist the personal information controller in ensuring compliance with the Act, these Rules, other relevant laws, and other issuances of the Commission, taking into account the nature of processing and the information available to the personal information processor;
- At the choice of the personal information controller, delete or return all personal data to the personal information controller after the end of the provision of services relating to the processing: Provided, that this includes deleting existing copies unless storage is authorized by the Act or another law;
- Make available to the personal information controller all information necessary to demonstrate compliance with the obligations laid down in the Act, and allow for and contribute to audits, including inspections, conducted by the personal information controller or another auditor mandated by the latter;
- Immediately inform the personal information controller if, in its opinion, an instruction infringes the Act, these Rules, or any other issuance of the Commission.
Section 45. Duty of personal information processor. The personal information processor shall comply with the requirements of the Act, these Rules, other applicable laws, and other issuances of the Commission, in addition to obligations provided in a contract, or other legal act with a personal information controller.
- Extension of Filing Periods and Suspension of Hearings for March 29 to April 4, 2021: SC Administrative Circular No. 14-2021 (Full Text) - March 28, 2021
- ECQ Bubble for NCR, Bulacan, Cavite, Laguna and Rizal: Resolution No. 106-A (Full Text) - March 27, 2021
- Guidelines on the Administration of COVID-19 Vaccines in the Workplaces (Labor Advisory No. 3) - March 12, 2021